Cybersecurity researcher discovers a method to bypass lockscreen on Pixel devices

Cybersecurity researcher David Schutz has found a major vulnerability that allows someone to bypass the lock screen on a Pixel smartphone. According to Schutz, the only thing an attacker needs to bypass the lock screen is a SIM card and access to the device. In his blog post, he adds that the “vulnerability is tracked as CVE-2022-20465 and it would affect other Android vendors as well.” It is not clear whether other phone manufacturers are also impacted. Keep in mind that he was only able to create and recreate the flaw on a Pixel device.

“I discovered a vulnerability affecting apparently all Google Pixel phones where if you gave me any locked Pixel device, I could give it back to you unlocked,” wrote Schutz in a blog post documenting the vulnerability.

He added that Google has patched the vulnerability in a security update released on November 5, 2022.

Discovering something wrong with Android

Schutz discovered the vulnerability when his phone ran out of battery one day. At the time, he connected the device's charger and booted up the phone. Once he did this, he was asked to enter the security PIN for the SIM card that was in the phone. Since he didn't remember it correctly at the time, he ended up entering the PIN incorrectly three times.

At this point, the SIM card got locked and Schutz had to enter the SIM's PUK code in order to unlock it. After he entered the PUK code, the phone asked him to enter a new PIN. After he did that, he noticed something strange. The phone was displaying the fingerprint icon, which was not supposed to happen.

Usually, after a phone is rebooted, it will not initially accept fingerprint unlocking unless the device's PIN code or password has been entered at least once. But the phone accepted Schutz's fingerprint, and then it got stuck on a screen until he rebooted it again.

Finding the vulnerability

He then tried to replicate the process without rebooting the phone. He removed the SIM tray of the phone while it was still switched on and reinserted the tray. He incorrectly entered the PIN three times, then entered the PUK and set a new PIN. At this point, the phone took him to the unlocked home screen, even though the device was locked before.

Schutz then repeated the process a few times and got the same result each time: the phone got unlocked despite him not entering the password or using his fingerprint.

According to Schutz, he first reported the vulnerability to Google in June this year. It has been fixed in a security patch released on November 5.
